DPDP Act vs GDPR: A Detailed Comparison for Businesses Operating in India and Europe
Side-by-side comparison of India's DPDP Act and EU's GDPR covering consent, rights, penalties, timelines, and scope. What GDPR-compliant companies still need to do.
If your business already complies with the EU’s General Data Protection Regulation (GDPR), you might assume that India’s Digital Personal Data Protection Act, 2023 (DPDP Act) is covered. That assumption is wrong — and potentially expensive.
While the DPDP Act borrows concepts from GDPR, it diverges in critical ways. There is no legitimate interest basis for processing. The children’s data threshold is 18, not 16. Consent withdrawal must be processed in 7 days, not 30. And every single data breach must be reported, not just the high-risk ones.
This guide provides a detailed, clause-by-clause comparison so you can identify exactly where your existing GDPR compliance falls short for India.
Master Comparison Table: DPDP Act vs GDPR
| Aspect | DPDP Act (India) | GDPR (EU) |
|---|---|---|
| Full name | Digital Personal Data Protection Act, 2023 | General Data Protection Regulation (2016/679) |
| Effective date | Expected enforcement: May 13, 2027 | May 25, 2018 |
| Scope | Digital personal data of individuals in India | Personal data of individuals in the EU/EEA |
| Territorial reach | Applies to processing outside India if offering goods/services to individuals in India | Applies to processing outside EU if offering goods/services or monitoring behavior in the EU |
| Regulator | Data Protection Board of India (DPBI) | National Data Protection Authorities (one per member state) + European Data Protection Board (EDPB) |
| Data controller term | Data Fiduciary | Data Controller |
| Data processor term | Data Processor | Data Processor |
| Data subject term | Data Principal | Data Subject |
Consent: The Biggest Difference
Consent is where the DPDP Act and GDPR diverge most sharply. GDPR provides six legal bases for processing personal data. The DPDP Act effectively provides two: consent and certain legitimate uses defined in the Act.
Legal Bases for Processing
| Legal Basis | DPDP Act | GDPR |
|---|---|---|
| Consent | Yes — primary basis | Yes — one of six bases |
| Legitimate interest | No — does not exist in the DPDP Act | Yes — balancing test required |
| Contractual necessity | Partially — covered under “certain legitimate uses” | Yes — explicit basis |
| Legal obligation | Yes — covered under “certain legitimate uses” | Yes — explicit basis |
| Vital interests | Yes — medical emergencies covered | Yes — explicit basis |
| Public interest/official authority | Yes — State processing covered | Yes — explicit basis |
| Employment purposes | Yes — covered under “certain legitimate uses” | Falls under legitimate interest or contract |
What this means for GDPR-compliant companies:
If you rely on “legitimate interest” as your legal basis for any data processing in the EU, you cannot use the same basis in India. You must either:
- Obtain explicit consent from Indian Data Principals, or
- Fit your processing within one of the narrow “certain legitimate uses” defined in the Act
This affects common scenarios like:
- Marketing emails to existing customers — Legitimate interest under GDPR, but requires consent under DPDP
- Fraud detection and prevention — Legitimate interest under GDPR, may need explicit consent under DPDP unless it falls under a permitted use
- Analytics for business improvement — Often legitimate interest under GDPR, requires consent under DPDP
- Employee background checks — Legitimate interest under GDPR, needs explicit consent or must fall under employment-related legitimate use under DPDP
Consent Requirements Compared
| Requirement | DPDP Act | GDPR |
|---|---|---|
| Freely given | Yes | Yes |
| Specific | Yes | Yes |
| Informed | Yes — clear notice in plain language | Yes — clear and plain language |
| Unambiguous | Yes | Yes |
| Granular (purpose-specific) | Yes — consent for each specified purpose | Yes — purpose limitation |
| Affirmative action | Yes — no pre-ticked boxes | Yes — no pre-ticked boxes |
| Withdrawal mechanism | Must be as easy as giving consent | Must be as easy as giving consent |
| Withdrawal processing time | 7 days (expected per Draft Rules) | 30 days (without undue delay) |
| Language | Must be available in all 22 languages in the Eighth Schedule of the Constitution | Must be in a language the data subject understands |
| Records | Must maintain records of consent | Must be able to demonstrate consent |
Critical difference — the 7-day withdrawal window: Under GDPR, “without undue delay” has been interpreted as approximately 30 days. The DPDP Act Draft Rules propose a much stricter 7-day window for processing consent withdrawals. This means your systems must be capable of stopping data processing within 7 days of receiving a withdrawal request.
Data Principal Rights vs Data Subject Rights
Both frameworks grant individuals rights over their personal data, but the scope differs.
| Right | DPDP Act | GDPR |
|---|---|---|
| Right to access | Yes — summary of data and processing activities | Yes — copy of data and processing details |
| Right to correction | Yes | Yes (Right to rectification) |
| Right to erasure | Yes — when data is no longer necessary or consent is withdrawn | Yes (Right to be forgotten) — broader grounds |
| Right to portability | No — not explicitly provided | Yes — receive data in machine-readable format |
| Right to restrict processing | No — not explicitly provided | Yes |
| Right to object | No — withdrawal of consent serves a similar function | Yes — including objection to profiling |
| Right against automated decision-making | No — not explicitly provided | Yes — right to human review of automated decisions |
| Right to grievance redressal | Yes — designated officer must respond | Complaint to DPA |
| Right to nomination | Yes — nominate someone to exercise rights after death or incapacity | Not explicitly provided (varies by member state) |
Key takeaway: The DPDP Act provides a narrower set of individual rights than GDPR. However, the rights it does provide must be taken seriously, because the penalty for non-compliance is up to Rs 250 Crore (the same ceiling shown in the penalties table below).
The right to nomination is unique to the DPDP Act. Data Principals can nominate another individual to exercise their rights in case of death or incapacity. Your systems must support this.
Children’s Data: A Major Divergence
The treatment of children’s data is one of the starkest differences between the two laws.
| Aspect | DPDP Act | GDPR |
|---|---|---|
| Age of majority for data processing | 18 years | 16 years (member states can lower to 13) |
| Parental consent required | Yes — verifiable consent from parent/guardian | Yes — for children below the age threshold |
| Behavioral tracking of children | Prohibited | Restricted but not outright banned |
| Targeted advertising to children | Prohibited | Restricted (must not exploit inexperience) |
| Processing harmful to children | Prohibited | General data protection principles apply |
| Age verification | Required (method not specified) | Required (method not specified) |
What this means in practice:
If your platform has users in India under age 18, you must:
- Implement age verification
- Obtain verifiable parental or guardian consent for each user under 18
- Completely disable behavioral tracking for minors
- Completely disable targeted advertising for minors
- Not process their data in any manner detrimental to their wellbeing
This is significantly stricter than GDPR. A 17-year-old can independently consent to data processing in most EU countries under GDPR, but in India, their parent or guardian must consent on their behalf.
Industries most affected: Social media, gaming, ed-tech, e-commerce, any platform with a youth user base.
Breach Notification: Stricter in India
India’s approach to breach notification is more demanding than GDPR’s in several ways.
| Aspect | DPDP Act | GDPR |
|---|---|---|
| Notification to authority | Required for all personal data breaches | Required only when breach is likely to result in a risk to individuals |
| Authority notification timeline | 72 hours to DPBI + 6 hours to CERT-In (existing law) | 72 hours to the relevant DPA |
| Notification to individuals | Required for all breaches | Required only for high risk breaches |
| Individual notification timeline | Without undue delay | Without undue delay |
| Materiality threshold | None — all breaches, regardless of severity | Risk-based assessment required |
| Record-keeping | Required | Required |
The critical difference: Under GDPR, you assess each breach to determine if it poses a risk to individuals. Many minor breaches (e.g., a brief unauthorized access with no data exfiltration) may not require notification. Under the DPDP Act, every personal data breach must be reported to both the DPBI and affected individuals. There is no threshold.
Additionally, the 6-hour CERT-In requirement (from the CERT-In Directions of 2022) is one of the fastest mandatory reporting timelines in the world. Your incident response plan must account for this.
Penalties: Fixed vs. Revenue-Based
| Factor | DPDP Act | GDPR |
|---|---|---|
| Maximum fine | Rs 250 Crore (~USD 30M) | EUR 20M or 4% of global annual turnover (whichever is higher) |
| Calculation method | Fixed ceiling per violation category | Revenue-based percentage |
| Stacking | Multiple categories can stack | Per violation |
| Criminal penalties | None | Varies by member state (some have criminal provisions) |
| Individual compensation | Not explicitly provided | Data subjects can claim compensation |
| Penalty for individuals (data subjects) | Up to Rs 10,000 for false complaints | None |
| Regulatory discretion | DPBI has broad discretion within the ceiling | DPAs follow EDPB guidelines on fine calculation |
For large multinational companies: GDPR fines can vastly exceed DPDP fines. A company with EUR 10 billion in revenue faces a theoretical GDPR maximum of EUR 400 million, while the DPDP maximum is approximately EUR 28 million.
For smaller companies: DPDP fines can be disproportionately harsh. A startup with Rs 5 Crore revenue faces the same Rs 250 Crore maximum as a large enterprise.
Cross-Border Data Transfers
| Aspect | DPDP Act | GDPR |
|---|---|---|
| Default position | Transfers allowed unless restricted by government notification | Transfers restricted unless adequate safeguards in place |
| Adequacy decisions | Government will issue a negative list (countries where transfers are restricted) | European Commission issues positive list (countries deemed adequate) |
| Standard Contractual Clauses (SCCs) | Not provided in the Act | Yes — widely used |
| Binding Corporate Rules (BCRs) | Not provided in the Act | Yes — for intra-group transfers |
| Data localization | No general data localization requirement; government can restrict specific transfers | No general localization; some member states have sector-specific requirements |
The approach is inverted: GDPR says “transfers are blocked unless you prove adequacy.” The DPDP Act says “transfers are allowed unless the government specifically blocks a country.” This is simpler in some ways but creates uncertainty — the negative list has not yet been published, so businesses do not know which countries will be restricted.
What GDPR-Compliant Companies Still Need to Do for DPDP
If you already comply with GDPR, here is a focused checklist of what you still need to address for DPDP compliance.
1. Audit Your Legal Bases
- Identify all processing activities that rely on legitimate interest — These need a new legal basis under DPDP (likely consent)
- Review contractual necessity claims — Ensure they fit within DPDP’s “certain legitimate uses”
- Document the DPDP legal basis for each processing activity separately from your GDPR records
2. Redesign Consent Flows for India
- Implement 7-day consent withdrawal processing — Your GDPR systems may only support 30 days
- Add language support — DPDP requires consent notices in languages from the Eighth Schedule (Hindi, Bengali, Tamil, Telugu, Marathi, and 17 others)
- Review granularity — Ensure consent is collected per purpose, not bundled
- Audit pre-existing consent — Consent collected before DPDP may not meet the new standard
3. Update Children’s Data Handling
- Raise the age threshold from 16 to 18 for Indian users
- Implement parental/guardian consent verification for all users aged 13-17 (users who, in most EU member states, could previously consent on their own under GDPR)
- Disable behavioral tracking and targeted advertising for Indian users under 18
- Review content recommendation algorithms for potential harm to minors
4. Overhaul Breach Notification Procedures
- Remove materiality assessments for Indian data — Every breach involving Indian Data Principals must be notified
- Add CERT-In to your notification workflow — 6-hour timeline
- Create separate notification templates for DPBI, CERT-In, and Data Principals
- Update incident response plans to account for the faster timelines
5. Adjust Data Subject Rights Handling
- Add nomination support — Allow Data Principals to nominate someone to exercise their rights
- Update response SLAs — DPDP response timelines may be stricter than your GDPR processes
- Designate a grievance officer — DPDP requires a specific contact person, not just a generic email
- Remove data portability from your India-facing rights dashboard (it is not a right under DPDP, and offering it voluntarily could set expectations)
6. Appoint India-Specific Roles
- If designated as an SDF: Appoint a Data Protection Officer based in India (your EU DPO cannot serve this role remotely)
- Appoint a grievance officer for handling Data Principal complaints
- Appoint an independent data auditor (if SDF) — this person must be separate from your internal audit team
7. Review Data Processing Agreements
- Update contracts with Indian processors to reflect DPDP terminology and obligations
- Ensure sub-processor obligations align with DPDP requirements
- Review data retention clauses — DPDP requires deletion when purpose is fulfilled or consent is withdrawn
Side-by-Side Implementation Checklist
| Task | GDPR Status | DPDP Action Needed |
|---|---|---|
| Lawful basis documentation | Done (6 bases) | Redo for DPDP (no legitimate interest) |
| Consent management platform | Done | Update for 7-day withdrawal, multi-language |
| Privacy notice | Done | Create India-specific version with DPDP terminology |
| Children’s age verification | Set to 16 | Raise to 18 for India |
| Behavioral tracking controls for minors | Restricted | Completely prohibited under 18 |
| Breach notification plan | Risk-based | All breaches, add CERT-In 6-hour requirement |
| Data portability system | Built | Not required (may remove from India-facing UI) |
| Right to object mechanism | Built | Not applicable (consent withdrawal instead) |
| Nomination system for rights | Not built | Must build for DPDP |
| DPO appointment | EU-based DPO | India-based DPO needed if designated SDF |
| Cross-border transfer mechanisms | SCCs/BCRs | Monitor government’s negative list |
| Data retention policies | Documented | Review for DPDP “purpose fulfillment” deletion |
| Grievance officer designation | DPA contact exists | Named individual required |
Common Misconceptions
“GDPR compliance means DPDP compliance.” False. While there is overlap, the differences in legal bases, consent requirements, children’s data rules, breach notification, and available rights mean GDPR compliance covers approximately 60-70% of DPDP requirements.
“DPDP is less strict than GDPR because fines are lower.” Partially true for large companies, but misleading overall. DPDP is stricter than GDPR in several areas: no legitimate interest, higher children’s age threshold, mandatory notification for all breaches, and shorter consent withdrawal processing times.
“We only need to comply with one law.” False. If you process data of individuals in both India and the EU, you must comply with both laws simultaneously. Where they conflict (e.g., legitimate interest for EU data vs. consent for Indian data), you need separate processes for each jurisdiction.
“The DPDP Act is just GDPR with Indian characteristics.” Misleading. While structurally similar, the DPDP Act makes fundamentally different policy choices — particularly around the consent-centric model, the negative-list approach to cross-border transfers, and the prohibition on behavioral tracking of children.
Frequently Asked Questions
Can I use a single privacy policy for both GDPR and DPDP? You can have one document, but it must clearly address the requirements of both laws. You will need India-specific sections covering DPDP terminology, the available rights (which differ from GDPR), and your consent practices for India. Many companies find it cleaner to maintain separate privacy notices.
Do I need separate DPOs for India and the EU? If you are designated as a Significant Data Fiduciary in India, you must appoint a DPO based in India. This cannot be the same person as your EU DPO unless that person is based in India.
How do I handle a user who is both in the EU and India? Apply the stricter standard. In most cases, this means applying DPDP rules (e.g., using the under-18 threshold for children’s provisions, and obtaining explicit consent rather than relying on legitimate interest).
When should I start preparing for DPDP if I already comply with GDPR? Now. The expected enforcement date is May 2027, and the gap analysis, system changes, and consent re-collection processes take 6-12 months minimum.
Next Steps
Understanding the differences is the first step. The second step is identifying where your current setup falls short.
A website compliance scan can show you exactly where your current consent management, privacy notices, and data collection practices need to change for DPDP compliance.